The following is a list of best practices that were identified to develop, identify, promulgate, and encourage the adoption of commonly accepted, good security practices. They represent 10 of the highest priority and most frequently recommended security practices as a place to start for today's operational systems. These practices address dimensions of information security such as policy, process, people, and technology, all of which are necessary for deployment of a successful security process. This initial set of practices is targeted toward executive leadership in industry. When adopted, these practices catalyze a risk-management-based approach to ensuring the survivability and security of critical information assets.
| General Management | System & Network Management |
| --- | --- |
| Policy | Authentication & Authorization |
| Risk Management | Monitor & Audit |
| Security Architecture & Design | Physical Security |
| User Issues | Continuity Planning & Disaster Recovery |
Managers throughout the organization should consider:
ACCOUNTABILITY AND TRAINING:
Users include all those who have active accounts, including employees, partners, suppliers, and vendors. Users consider information security to be a part of their responsibilities, receive training in all policy topics, and are made aware of the consequences of policy violations.
Ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies (e.g., host and network operating systems, routers, firewalls, monitoring tools, and applications software), including the secure operation of those
Ensure proper access controls are in place in systems (i.e., user IDs and passwords that are unique and forced to be changed frequently by the system).
Establish a range of security controls to protect assets residing on systems and networks by using the following tools:
Regularly check for
SECURE ACCESS CONFIGURATION:
REMOTE AND THIRD PARTIES:
Develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.
Elements of a BC plan, at a minimum, should include, but are not limited to, the following:
a. Procedures for response and recovery that contain predetermined prioritized actions on how to:
i. Respond to a disruptive event
ii. Activate the plan
iii. Recover critical business processes
iv. Restore the business back to its state before the incident or disaster occurred
b. Alternate work locations and work procedures (if necessary) must be identified in case the primary site is unavailable. The plan should also include procedures to equip the alternate work site (telecommunication systems, PCs, and other devices), and contracts with third parties.
c. Procedures to safeguard and reconstruct the home site.
d. Procedures to safeguard the alternate site.
e. Reconstruction plans for the recovery of all systems resources at the original location.
f. Critical information (such as current names and telephone/pager numbers of key personnel, etc.) on continuity teams, affected staff, customers, and suppliers.
g. Major upstream/downstream applications and the information system groups that may be affected, together with their critical contact information, must be identified.
h. Time frames for restoring systems to ensure required transaction processing times are met and disruption time is minimized.
Elements of a DR plan, at a minimum, should include, but are not limited to, the following:
a. The identification of possible disasters that could interrupt access to systems for long periods of time.
b. Directions to Off-Site Storage locations
c. Business recovery location
d. Disaster recovery organization chart/list – action team call tree for internal contacts and their locations
e. Hardware and other required inventory needed in the event of a disaster
f. Application and other required inventory needed in the event of a disaster
g. Operating system and other required inventory needed in the event of a disaster
h. Vendor name(s) and contact information
i. Media, records, and documentation needed for restoration
j. Recovery procedures and priority of servers, applications, and other dependent systems
k. Time frames for restoring systems to ensure required transaction processing times are met
l. Critical file and work in process assessment report
m. Recovery status report